Mfillpot's Slackware Firewall Script
From TWUUG
The information below is a rc.firewall script developed by mfillpot.
This is currently a work in progress so some things do not work properly or are incomplete.
--mfillpot 17:56, 3 February 2011 (EST)
#!/bin/bash # iptables firewall script by matthew fillpot # Partially derived from AlienBOB's firewall generator # http://connie.slackware.com/~alien/efg/index.php # Local Settings # # sysctl location. If set, it will use sysctl to adjust the kernel parameters. # If this is set to the empty string (or is unset), the use of sysctl # is disabled. SYSCTL="/sbin/sysctl -w" # To echo the value directly to the /proc file instead # SYSCTL="" # IPTables Location - adjust if needed IPT="/usr/sbin/iptables" IPTS="/usr/sbin/iptables-save" IPTR="/usr/sbin/iptables-restore" # Internet Interface INET_IFACE="eth0" # Localhost Interface LO_IFACE="lo" LO_IP="127.0.0.1" LOC_SUB="192.168.1.1/24" # SET COLORS RED=$'\e[31;01m' BLUE=$'\e[34;01m' GREEN=$'\e[32;01m' NORMAL=$'\e[0m' # Save and Restore arguments handled here #if [ "$1" = "save" ] #then # echo -n "Saving firewall to /etc/sysconfig/iptables ... " # $IPTS > /etc/sysconfig/iptables # echo "done" # exit 0 #elif [ "$1" = "restore" ] #then # echo -n "Restoring firewall from /etc/sysconfig/iptables ... " # $IPTR < /etc/sysconfig/iptables # echo "done" # exit 0 #fi ####################################################### fw_start() { # Display a message stating the firewall is starting echo "${BLUE}Firewall is being configured.....${NORMAL}" # Flush the current rules flush_rules # load the appropriate kernel modules load_modules # load the necessary kernel bits load_kernel_bits # Make the user Chains make_chains # Allow all on localhost interface $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT # Accept Established Connections $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \ -j ACCEPT # check for bad packets check_bad_packets # Drop bad packets $IPT -A INPUT -p ALL -j bad_packets # check the icmp packets check_icmp # Open ports for selected services check_services #### INPUT ############################################### # Add the rules for specific packet types udp_out udp_in tcp_out tcp_in # Route the rest to the appropriate user chain $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # Drop without logging broadcasts that get this far. # Cuts down on log clutter. # Comment this line if testing new rules that impact # broadcast protocols. $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP # Log packets that still don't match #$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP " #### OUTPUT ############################################### # Generally trust the firewall on output # However, invalid icmp packets need to be dropped # to prevent a possible exploit. $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP # Localhost $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT # To internet $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # Log packets that still don't match #$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP " ############################################################################### # block all other incoming traffic # $IPT -A INPUT -j DROP # Display a message stating the firewall has been started echo "${BLUE}Firewall Started.....${NORMAL}" } fw_stop() { # Flush all rules flush_rules echo "${RED}Firewall Stopped.....${NORMAL}" } flush_rules() { #echo "Start flush" # Flush all rules $IPT -F #$IPT -L # $IPT -X bad_packets # $IPT -X bad_tcp_packets # $IPT -X icmp_packets # $IPT -X udp_inbound # $IPT -X udp_outbound # $IPT -X tcp_inbound # $IPT -X tcp_outbound #echo "Flush Complete" } ####################################################### load_modules() { # Load Modules # # You should uncomment the line below and run it the first time just to # ensure all kernel module dependencies are OK. There is no need to run # every time, however. # /sbin/depmod -a # Unless you have kernel module auto-loading disabled, you should not # need to manually load each of these modules. Other than ip_tables, # ip_conntrack, and some of the optional modules, I've left these # commented by default. Uncomment if you have any problems or if # you have disabled module autoload. Note that some modules must # be loaded by another kernel module. # core netfilter module /sbin/modprobe ip_tables # the stateful connection tracking module /sbin/modprobe ip_conntrack # filter table module # /sbin/modprobe iptable_filter # mangle table module # /sbin/modprobe iptable_mangle # nat table module # /sbin/modprobe iptable_nat # LOG target module # /sbin/modprobe ipt_LOG # This is used to limit the number of packets per sec/min/hr /sbin/modprobe ipt_limit # masquerade target module # /sbin/modprobe ipt_MASQUERADE # filter using owner as part of the match # /sbin/modprobe ipt_owner # REJECT target drops the packet and returns an ICMP response. # The response is configurable. By default, connection refused. # /sbin/modprobe ipt_REJECT # This target allows packets to be marked in the mangle table # /sbin/modprobe ipt_mark # This target affects the TCP MSS # /sbin/modprobe ipt_tcpmss # This match allows multiple ports instead of a single port or range # /sbin/modprobe multiport # This match checks against the TCP flags # /sbin/modprobe ipt_state # This match catches packets with invalid flags # /sbin/modprobe ipt_unclean # the module for full irc connection tracking /sbin/modprobe ip_conntrack_irc ##################################################################### # Kernel Parameter Configuration # # See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html # for a detailed tutorial on sysctl and the various settings # available. # Required to enable IPv4 forwarding. # Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true # Alternatively, it can be set in /etc/sysctl.conf #if [ "$SYSCTL" = "" ] #then # echo "1" > /proc/sys/net/ipv4/ip_forward #else # $SYSCTL net.ipv4.ip_forward="1" #fi # This enables dynamic address hacking. # This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\). if [ "$SYSCTL" = "" ] then echo "1" > /proc/sys/net/ipv4/ip_dynaddr else $SYSCTL net.ipv4.ip_dynaddr="1" fi # This enables SYN flood protection. # The SYN cookies activation allows your system to accept an unlimited # number of TCP connections while still trying to give reasonable # service during a denial of service attack. if [ "$SYSCTL" = "" ] then echo "1" > /proc/sys/net/ipv4/tcp_syncookies else $SYSCTL net.ipv4.tcp_syncookies="1" fi # This enables source validation by reversed path according to RFC1812. # In other words, did the response packet originate from the same interface # through which the source packet was sent? It's recommended for single-homed # systems and routers on stub networks. Since those are the configurations # this firewall is designed to support, I turn it on by default. # Turn it off if you use multiple NICs connected to the same network. if [ "$SYSCTL" = "" ] then echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter else $SYSCTL net.ipv4.conf.all.rp_filter="1" fi # This option allows a subnet to be firewalled with a single IP address. # It's used to build a DMZ. Since that's not a focus of this firewall # script, it's not enabled by default, but is included for reference. # See: http://www.sjdjweis.com/linux/proxyarp/ #if [ "$SYSCTL" = "" ] #then # echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp #else # $SYSCTL net.ipv4.conf.all.proxy_arp="1" #fi # The following kernel settings were suggested by Alex Weeks. Thanks! # This kernel parameter instructs the kernel to ignore all ICMP # echo requests sent to the broadcast address. This prevents # a number of smurfs and similar DoS nasty attacks. if [ "$SYSCTL" = "" ] then echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts else $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1" fi # This option can be used to accept or refuse source routed # packets. It is usually on by default, but is generally # considered a security risk. This option turns it off. if [ "$SYSCTL" = "" ] then echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route else $SYSCTL net.ipv4.conf.all.accept_source_route="0" fi # This option can disable ICMP redirects. ICMP redirects # are generally considered a security risk and shouldn't be # needed by most systems using this generator. #if [ "$SYSCTL" = "" ] #then # echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects #else # $SYSCTL net.ipv4.conf.all.accept_redirects="0" #fi # However, we'll ensure the secure_redirects option is on instead. # This option accepts only from gateways in the default gateways list. if [ "$SYSCTL" = "" ] then echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects else $SYSCTL net.ipv4.conf.all.secure_redirects="1" fi # This option logs packets from impossible addresses. #if [ "$SYSCTL" = "" ] #then # echo "1" > /proc/sys/net/ipv4/conf/all/log_martians #else # $SYSCTL net.ipv4.conf.all.log_martians="1" #fi } load_kernel_bits() { # Drop ICMP echo-request messages sent to broadcast or multicast addresses echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Drop source routed packets echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Enable TCP SYN cookie protection from SYN floods echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Don't accept ICMP redirect messages echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Don't send ICMP redirect messages echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects # Enable source address spoofing protection echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Log packets with impossible source addresses #echo 1 > /proc/sys/net/ipv4/conf/all/log_martians } make_chains() { # User-Specified Chains # Create a chain to filter INVALID packets $IPT -N bad_packets # Create another chain to filter bad tcp packets $IPT -N bad_tcp_packets # Create separate chains for icmp, tcp (incoming and outgoing), # and incoming udp packets. $IPT -N icmp_packets # Used for UDP packets inbound from the Internet $IPT -N udp_inbound # Used to block outbound UDP services from internal network # Default to allow all $IPT -N udp_outbound # Used to allow inbound services if desired # Default fail except for established sessions $IPT -N tcp_inbound # Used to block outbound services from internal network # Default to allow all $IPT -N tcp_outbound } check_bad_packets() { # bad_packets chain # # Drop INVALID packets immediately #$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \ # --log-prefix "fp=bad_packets:1 a=DROP " $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP # Then check the tcp packets for additional problems $IPT -A bad_packets -p tcp -j bad_tcp_packets # All good, so return $IPT -A bad_packets -p ALL -j RETURN # bad_tcp_packets chain # # All tcp packets will traverse this chain. # Every new connection attempt should begin with # a syn packet. If it doesn't, it is likely a # port scan. This drops packets in state # NEW that are not flagged as syn packets. #$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ # --log-prefix "fp=bad_tcp_packets:1 a=DROP " #$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP #$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \ # --log-prefix "fp=bad_tcp_packets:2 a=DROP " #$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP #$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \ # --log-prefix "fp=bad_tcp_packets:3 a=DROP " #$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP #$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \ # --log-prefix "fp=bad_tcp_packets:4 a=DROP " #$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP # #$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \ # --log-prefix "fp=bad_tcp_packets:5 a=DROP " #$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # #$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \ # --log-prefix "fp=bad_tcp_packets:6 a=DROP " #$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \ # --log-prefix "fp=bad_tcp_packets:7 a=DROP " #$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP } check_icmp() { # icmp_packets chain # # This chain is for inbound (from the Internet) icmp packets only. # Type 8 (Echo Request) is not accepted by default # Enable it if you want remote hosts to be able to reach you. # 11 (Time Exceeded) is the only one accepted # that would not already be covered by the established # connection rule. Applied to INPUT on the external interface. # # See: http://www.ee.siue.edu/~rwalden/networking/icmp.html # for more info on ICMP types. # # Note that the stateful settings allow replies to ICMP packets. # These rules allow new packets of the specified types. # ICMP packets should fit in a Layer 2 frame, thus they should # never be fragmented. Fragmented ICMP packets are a typical sign # of a denial of service attack. $IPT -A icmp_packets --fragment -p ICMP -j LOG \ --log-prefix "fp=icmp_packets:1 a=DROP " $IPT -A icmp_packets --fragment -p ICMP -j DROP # Echo - uncomment to allow your system to be pinged. # Uncomment the LOG command if you also want to log PING attempts # # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \ # --log-prefix "fp=icmp_packets:2 a=ACCEPT " # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT # By default, however, drop pings without logging. Blaster # and other worms have infected systems blasting pings. # Comment the line below if you want pings logged, but it # will likely fill your logs. $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP # Time Exceeded $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # Not matched, so return so it will be logged $IPT -A icmp_packets -p ICMP -j DROP ############ MY RULES ############################ # Allow pings per minute to block ping DOS attacks # $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/m -j ACCEPT # Allow all echo replies including destination unreachable and time exceeded # $IPT -A icmp_packets -p icmp --icmp-type echo-reply -j ACCEPT # $IPT -A icmp_packets -p icmp --icmp-type destination-unreachable -j ACCEPT # $IPT -A icmp_packets -p icmp --icmp-type time-exceeded -j ACCEPT # Block all other icmp traffic # $IPT -A icmp_packets -p icmp -j DROP } udp_out() { # udp_outbound chain # # This chain is used with a private network to prevent forwarding for # UDP requests on specific protocols. Applied to the FORWARD rule from # the internal network. Ends with an ACCEPT # No match, so ACCEPT $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT } udp_in() { # udp_inbound chain # # This chain describes the inbound UDP packets it will accept. # It's applied to INPUT on the external or Internet interface. # Note that the stateful settings allow replies. # These rules are for new requests. # It drops netbios packets (windows) immediately without logging. # Drop netbios calls # Please note that these rules do not really change the way the firewall # treats netbios connections. Connections from the localhost and # internal interface (if one exists) are accepted by default. # Responses from the Internet to requests initiated by or through # the firewall are also accepted by default. To get here, the # packets would have to be part of a new request received by the # Internet interface. You would have to manually add rules to # accept these. I added these rules because some network connections, # such as those via cable modems, tend to be filled with noise from # unprotected Windows machines. These rules drop those packets # quickly and without logging them. This prevents them from traversing # the whole chain and keeps the log from getting cluttered with # chatter from Windows systems. $IPT -A udp_inbound -p UDP -s 0/0 --dport 137 -j DROP $IPT -A udp_inbound -p UDP -s 0/0 --dport 138 -j DROP # Ident requests (Port 113) must have a REJECT rule rather than the # default DROP rule. This is the minimum requirement to avoid # long delays while connecting. Also see the tcp_inbound rule. $IPT -A udp_inbound -p UDP -s 0/0 --dport 113 -j REJECT # A more sophisticated configuration could accept the ident requests. # $IPT -A udp_inbound -p UDP -s 0/0 --dport 113 -j ACCEPT # Dynamic Address # If DHCP, the initial request is a broadcast. The response # doesn't exactly match the outbound packet. This explicitly # allow the DHCP ports to alleviate this problem. # If you receive your dynamic address by a different means, you # can probably comment this line. $IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --dport 68 \ -j ACCEPT # Not matched, so return for logging $IPT -A udp_inbound -p UDP -j DROP } tcp_out() { # tcp_outbound chain # # This chain is used with a private network to prevent forwarding for # requests on specific protocols. Applied to the FORWARD rule from # the internal network. Ends with an ACCEPT # No match, so ACCEPT $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT } tcp_in() { # tcp_inbound chain # # This chain is used to allow inbound connections to the # system/gateway. Use with care. It defaults to none. # It's applied on INPUT from the external or Internet interface. # Ident requests (Port 113) must have a REJECT rule rather than the # default DROP rule. This is the minimum requirement to avoid # long delays while connecting. Also see the tcp_inbound rule. $IPT -A tcp_inbound -p TCP -s 0/0 --dport 113 -j REJECT # Not matched, so return so it will be logged $IPT -A tcp_inbound -p TCP -j DROP } ####################################################### check_services() { # choose services to allow Srv=1 # For items with values listed $1 = WEB or LOCAL # Otherwise it assumes LOCAL of WEB based upon the type of service #enable_cups LOCAL enable_httpd LOCAL #enable_httpd_encrypted WEB #enable_ftp LOCAL #FTP does not allow all packets to transfer yet, it needs to be refined #enable_samba LOCAL #enable_sshd LOCAL #enable_mysql LOCAL # $2 = non-PASV or PASV #enable_ftpd LOCAL non-PASV # Not tested # Local only services #enable_dns # Web facing services #enable_icq #enable_msn } enable_cups() { SRV="cups printing" case "$1" in "LOCAL") $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 631 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; "WEB") $IPT -A tcp_inbound -p TCP -s 0/0 --dport 631 -j ACCEPT echo "${RED}Allowing $SRV for all hosts.....${NORMAL}" ;; *) $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 631 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; esac } enable_httpd() { SRV="http web-server" case "$1" in "LOCAL") $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 80 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; "WEB") $IPT -A tcp_inbound -p TCP -s 0/0 --dport 80 -j ACCEPT echo "${RED}Allowing $SRV for all hosts.....${NORMAL}" ;; *) $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 80 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; esac } enable_httpd_encrypted() { SRV="encrypted http web-server" case "$1" in "LOCAL") $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 443 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; "WEB") $IPT -A tcp_inbound -p TCP -s 0/0 --dport 443 -j ACCEPT echo "${RED}Allowing $SRV for all hosts.....${NORMAL}" ;; *) $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 443 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; esac } enable_ftp() { SRV="ftp server" case "$1" in "LOCAL") $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 21 -j ACCEPT #$IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 20 -j ACCEPT #$IPT -A tcp_inbound -p UDP -s $LOC_SUB --dport 21 -j ACCEPT #$IPT -A tcp_inbound -p UDP -s $LOC_SUB --dport 20 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; "WEB") $IPT -A tcp_inbound -p TCP -s 0/0 --dport 21 -j ACCEPT #$IPT -A tcp_inbound -p TCP -s 0/0 --dport 20 -j ACCEPT #$IPT -A tcp_inbound -p UDP -s 0/0 --dport 21 -j ACCEPT #$IPT -A tcp_inbound -p UDP -s 0/0 --dport 20 -j ACCEPT echo "${RED}Allowing $SRV for all hosts.....${NORMAL}" ;; *) $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 21 -j ACCEPT #$IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 20 -j ACCEPT #$IPT -A tcp_inbound -p UDP -s $LOC_SUB --dport 21 -j ACCEPT #$IPT -A tcp_inbound -p UDP -s $LOC_SUB --dport 20 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; esac } enable_samba() { SRV="samba" case "$1" in "LOCAL") $IPT -A udp_inbound -p UDP -s $LOC_SUB --dport 137:138 -j ACCEPT $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 139 -j ACCEPT $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 445 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; "WEB") $IPT -A udp_inbound -p UDP -s 0/0 --dport 137:138 -j ACCEPT $IPT -A tcp_inbound -p TCP -s 0/0 --dport 139 -j ACCEPT $IPT -A tcp_inbound -p TCP -s 0/0 --dport 445 -j ACCEPT echo "${RED}Allowing $SRV for all hosts.....${NORMAL}" ;; *) $IPT -A udp_inbound -p UDP -s $LOC_SUB --dport 137:138 -j ACCEPT $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 139 -j ACCEPT $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 445 -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; esac } enable_sshd() { SRV="ssh" case "$1" in "LOCAL") $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport ssh -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; "WEB") $IPT -A tcp_inbound -p TCP -s 0/0 --dport ssh -j ACCEPT echo "${RED}Allowing $SRV for all hosts.....${NORMAL}" ;; *) $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport ssh -j ACCEPT echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; esac } enable_mysql() { SRV="mysql" case "$1" in "WEB") SUB="0/0" TRM="all" ;; *) SUB=$LOC_SUB TRM="local" ;; esac $IPT -A tcp_inbound -p TCP -s $SUB --dport 22 -j ACCEPT echo "${GREEN}Allowing $SRV for $TRM hosts.....${NORMAL}" } enable_ftpd() { # Passive FTP # # With passive FTP, the server provides a port to the client # and allows the client to initiate the connection rather # than initiating the connection with the client from the data port. # Web browsers and clients operating behind a firewall generally # use passive ftp transfers. A general purpose FTP server # will need to support them. # # However, by default an FTP server will select a port from the entire # range of high ports. It is not particularly safe to open all # high ports. Fortunately, that range can be restricted. This # firewall presumes that the range has been restricted to a specific # selected range. That range must also be configured in the ftp server. # # Instructions for specifying the port range for the wu-ftpd server # can be found here: # http://www.wu-ftpd.org/man/ftpaccess.html # (See the passive ports option.) # # Instructions for the ProFTPD server can be found here: # http://proftpd.linux.co.uk/localsite/Userguide/linked/x861.html # the module for full ftp connection tracking /sbin/modprobe ip_conntrack_ftp # The ftp nat module is required for non-PASV ftp support #/sbin/modprobe ip_nat_ftp # FTP Server (Control) # $IPT -A tcp_inbound -p TCP -s 0/0 --dport 21 -j ACCEPT # FTP Client (Data Port for non-PASV transfers) # $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT SRV="ftp" case "$1" in "LOCAL") $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 21 -j ACCEPT case "$2" in "non-PASV") $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT /sbin/modprobe ip_nat_ftp ;; esac echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; "WEB") $IPT -A tcp_inbound -p TCP -s 0/0 --dport 21 -j ACCEPT case "$2" in "non-PASV") $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT /sbin/modprobe ip_nat_ftp ;; esac echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; *) $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 21 -j ACCEPT case "$2" in "non-PASV") $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT /sbin/modprobe ip_nat_ftp ;; esac echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}" ;; esac } enable_dns() { $IPT -A udp_inbound -p UDP -s 0/0 --dport 53 -j ACCEPT } enable_icq() { # ICQ File Transfers & Other Advanced Features # # ICQ supports a number of options beyond simple instant messaging. # For those to function, the instant messaging system must allow # new connections initiated from remote systems. This option will # open a specified port range on the firewalled system. The ICQ client # on the firewalled system must also be configured to use the specified # port range. $IPT -A tcp_inbound -p TCP -s 0/0 --dport 5000:5100 -j ACCEPT } enable_msn() { # MSN Messenger File Transfers # # Messenger supports file transfers. For transfers initiated by # remote systems to function, the system must allow # new connections initiated from remote systems a specific port range. # This option defaults to the port range 6891 through 6900. # Unless the MSN Messenger client can be configured to specify any # port range, don't change the default. $IPT -A tcp_inbound -p TCP -s 0/0 --dport 6891:6900 -j ACCEPT } ####################################################### case "$1" in start) fw_start ;; stop) fw_stop ;; restart) fw_stop fw_start ;; *) echo $"Usage: $0 {start|stop|restart}" ;; esac # TO-DO # flush all chains --flush # Delete all chains -X # zero all counters in all chains -S (chain) # make module to simplify services